From: Jason Opperisano <opie@817west.com>
To: netfilter@lists.netfilter.org
Subject: Re: Iptables
Date: Thu, 19 May 2005 15:33:48 -0400 [thread overview]
Message-ID: <20050519193348.GA8623@bender.817west.com> (raw)
In-Reply-To: <200505191945.22293.chadley@pinteq.co.za>
On Thu, May 19, 2005 at 07:45:22PM +0200, Chadley Wilson wrote:
> Greetings,
>
> Sort of still a newbie with iptables! I ve been at it for a while, but
> struggle to understand when things don't work when I think they are right.
>
> OK heres the problem:
>
> I have a dns server configure, master zone int network, slave is external dns
> box.
>
> Dhcp server only internal.
>
> Iptables must do the following:
> allow one int ip (me) to the external int face for everything. (the external
> interface is actually our other internal network which has the gateway to the
> internet)
>
> when I set my default policy to drop, my DNS and windows file sharing from the
> ext network doesn't work. My mail and internet still work. I have removed the
> broken lines and set my policy back to ACCEPT. But I would feel much safer if
> it were drop and only allow services that I choose. As it is now, I can
> access the net, mail and windows file shares, the dns for the FTP server is
> working and all is bliss.
> How do I make this more secure?
>
> etel is our gateway
> my router has 6 cards in it. 5 are bond0 1 eth0 int and ext respectively.
>
> Attached is my iptables file,
>
> Please could some one show me what is wrong I can't figure it out.
> ######## Firewall Setup ##################
> ######## Config ##################
> #set -x
> ipt="/usr/sbin/iptables"
> ext="eth0"
> int="bond0"
> lo="127.0.0.1"
> chad="192.168.2.5"
> etel="196.25.100.28"
> #################################################
>
> #################################################
> #### ####
> #### BASIC SETUP ####
> #### ####
> #################################################
>
> #Enable IP Forwarding
> echo "1" >> /proc/sys/net/ipv4/ip_forward
>
> #Clear All Tables
> ${ipt} -t filter -F
> ${ipt} -t nat -F
there's also a mangle table...
iptables -t mangle -F
> ## Allow all from local interfaces [localhost]
> ${ipt} -t filter -A INPUT -s ${lo} -j ACCEPT
>
>
> ## Allow all prerouting
> ${ipt} -t nat -A PREROUTING -s 192.168.2.0/255.255.255.0 -j ACCEPT
> ${ipt} -t nat -A PREROUTING -s 196.25.100.5/255.255.255.0 -j ACCEPT
um--what exactly are you trying to accomplish with these?
> ## Allow all forwarding
> ${ipt} -t filter -A FORWARD -i ${int} -o ${ext} -m state --state RELATED,ESTABLISHED -j ACCEPT
> ${ipt} -t filter -A FORWARD -i ${ext} -o ${int} -m state --state RELATED,ESTABLISHED -j ACCEPT
how about just:
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
> ## Allow pings
> ${ipt} -t filter -A INPUT -p icmp -j ACCEPT
>
> ## Keep established connections on all interfaces
> ${ipt} -t filter -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
we just did this above...
> ${ipt} -t filter -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>
> ## Accept www from internet {ext}
> ${ipt} -t filter -A INPUT -i ${ext} -p tcp --dport 80 -j ACCEPT
you run a web server on your firewall?
> #################################################
> #### ####
> #### RULES ####
> #### ####
> #################################################
>
> ## Masquerade {chad} outgoing to internet
> ${ipt} -t nat -A POSTROUTING -o ${ext} -s ${chad} -j MASQUERADE
> ${ipt} -t filter -A FORWARD -i ${int} -o ${ext} -s ${chad} -j ACCEPT
>
> ## Accept SSH from {etel}
> ${ipt} -t filter -A INPUT -i ${ext} -s ${etel} -p tcp --dport 22 -j ACCEPT
>
> ## Accept ssh from all internal
> ${ipt} -t filter -A INPUT -i ${int} -p tcp --dport 22 -j ACCEPT
>
> ## Accept telnet
> ${ipt} -t filter -A INPUT -p tcp --dport 23 -j ACCEPT
> ${ipt} -t filter -A INPUT -p udp --dport 23 -j ACCEPT
1) telnet only uses TCP, not UDP.
2) telnet? c'mon, what is this? 1997?
> ## Accept incoming SMTP
> ${ipt} -t filter -A INPUT -i ${ext} -p tcp --dport 25 -j ACCEPT
>
> ## Accept external POP3
> ${ipt} -t filter -A INPUT -i ${ext} -p tcp --dport 110 -j ACCEPT
you run SMTP and POP3 servers on your firewall too? i'm sensing a
pattern here...
> ## Allow mail from ext to int
> ${ipt} -t filter -A FORWARD -p tcp -m tcp -m state -s ${chad} -d 196.25.100.21 -o ${ext} --sport 25 --state NEW,ESTABLISHED,RELATED -j ACCEPT
> ${ipt} -t filter -A FORWARD -p tcp -m tcp -m state -s ${chad} -d 196.25.100.21 -o ${ext} --sport 110 --state NEW,ESTABLISHED,RELATED -j ACCEPT
um--we've already ACCEPTed all ESTABLISHED,RELATED packets in
FORWARD--so it's redundant to keep using them in rules. so we need to
create rules that allow packets that are NEW. if you're trying to allow
$chad to connect to 196.25.100.21 on SMTP and POP3--those should be
dport, not sport:
iptables -A FORWARD -i $int -o $ext -p tcp -s $chad \
-d 196.25.100.21 --dport 25 -j ACCEPT
iptables -A FORWARD -i $int -o $ext -p tcp -s $chad \
-d 196.25.100.21 --dport 110 -j ACCEPT
from the text of you message, you want to allow $chad out on any
service, though--right? then how about:
iptables -A FORWARD -i $int -o $ext -p tcp -s $chad -j ACCEPT
(which you already have in here if we scroll back up a bit)
> ## Allow DNS updates
> ${ipt} -t filter -A INPUT -i ${int} -p tcp --dport 53 -j ACCEPT
> ${ipt} -t filter -A INPUT -i ${ext} -p tcp --dport 53 -j ACCEPT
the DNS server runs on the firewall too, eh? how's about:
iptables -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT
(you need TCP for zone transfers, and UDP for regular name resolution
requests)
> ## Accept all from local interfaces
> ${ipt} -t filter -A INPUT -i ${int} -j ACCEPT
> ${ipt} -t filter -A INPUT -i ${int} -j ACCEPT
a rule so nice, we need it twice?
> ## Drop all the rest, incoming , and forward between interfaces
> #${ipt} -t filter -A INPUT -j DROP
> #${ipt} -t filter -A FORWARD -j DROP
-j
--
"Peter: Hey, Brian. If cops are pigs, does that make you a Snausage?
Brian: Clever, Peter. Did you stay up all night writing that?
Peter: No, I got to bed around two, two-thirty."
--Family Guy
next prev parent reply other threads:[~2005-05-19 19:33 UTC|newest]
Thread overview: 57+ messages / expand[flat|nested] mbox.gz Atom feed top
2005-05-19 17:45 Iptables Chadley Wilson
2005-05-19 18:35 ` rebuilding an OpensourceVideoconferencechattool codewarrior
2005-05-19 19:33 ` Jason Opperisano [this message]
2005-05-19 20:13 ` Iptables Chadley Wilson
2005-05-19 21:43 ` Iptables Jason Opperisano
2005-05-20 5:38 ` Iptables Chadley Wilson
2005-05-20 5:50 ` Iptables Jason Opperisano
2005-05-20 6:04 ` Iptables Rob Sterenborg
2005-05-20 6:26 ` Iptables Rob Sterenborg
-- strict thread matches above, loose matches on Subject: below --
2012-04-14 12:20 IPTables nullv
2012-04-13 23:54 IPTables nullv
2012-04-14 9:35 ` IPTables Amos Jeffries
2012-04-13 23:53 IPTables nullv
[not found] <047d7b10cb31c8716404bd5f56a7@google.com>
[not found] ` <e89a8ff2474fc99c5604bd608a88@google.com>
2012-04-11 13:06 ` IPTables Ethy H. Brito
2012-04-11 3:03 IPTables Al Grant
2012-04-11 3:45 ` IPTables Ethy H. Brito
2012-04-11 6:33 ` IPTables John Lister
2008-01-13 18:53 Can't set up transparent proxy on XO laptop P Zemlja
2008-01-13 22:44 ` G.W. Haywood
2008-01-14 7:45 ` iptables sa
2008-01-14 9:17 ` iptables G.W. Haywood
2008-01-15 13:12 ` iptables sa
2008-01-15 14:54 ` iptables G.W. Haywood
2006-10-19 5:08 IPTABLES tarak
2005-06-19 2:17 iptables s s
2005-05-18 21:04 Iptables Limbert Fuentes Quiroga
2005-01-31 11:31 iptables Alabama
2005-01-31 12:02 ` iptables John A. Sullivan III
[not found] ` <5.2.0.9.0.20050131135158.02a9dec0@poczta.interia.pl>
2005-01-31 13:18 ` iptables John A. Sullivan III
2005-01-31 11:16 iptables Andrzej
2004-09-28 5:07 Iptables Contact
2004-09-28 5:25 ` Iptables Rob Sterenborg
2004-09-28 8:19 ` Iptables Contact
2004-09-28 14:04 ` Iptables Jason Opperisano
2004-09-28 14:09 ` Iptables Aleksandar Milivojevic
2004-09-28 10:36 ` Iptables John A. Sullivan III
2004-09-28 14:27 ` Iptables Jose Maria Lopez
2004-05-27 17:51 iptables Alejandro Cabrera Obed
2004-02-27 2:23 iptables mustafa hassan
2004-01-31 8:39 Iptables Ivan Zagvozkine
2004-01-28 11:12 Iptables jean-francois fleury
2004-01-28 13:25 ` Iptables Jeffrey Laramie
2003-05-26 13:34 iptables Wan System S.R.L.
2003-05-26 15:27 ` iptables Pedro C. Arias
2003-04-28 18:29 IPTABLES lfps
2003-04-23 5:17 iptables Star Fire
2003-02-27 18:04 iptables Guss
2003-01-19 17:30 iptables VASIF MUSAOGULLARI
2003-01-21 11:42 ` iptables Erdal Mutlu
2003-01-17 9:20 IPtables Jet
2002-06-28 13:28 iptables luigicart
2002-06-28 13:45 ` iptables Antony Stone
2002-06-28 13:48 ` iptables Tom Eastep
2002-06-28 14:00 ` iptables Joe Patterson
2002-06-13 9:03 Iptables Paulo Andre
2002-06-11 2:24 iptables Matthew Hellman
2002-06-10 14:06 iptables Paulo Andre
2002-06-10 19:27 ` iptables Antony Stone
2002-06-11 2:23 ` iptables Matthew Hellman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20050519193348.GA8623@bender.817west.com \
--to=opie@817west.com \
--cc=netfilter@lists.netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox